Disabling Encrypted Client Hello (ECH)
Why Disable ECH?
Roskomnadzor (Russian telecommunications regulator) has blocked the Encrypted Client Hello (ECH) technology, causing issues for Cloudflare users in Russia. Moreover, Cloudflare has forcibly enabled this technology for all users, including those on the free tier.
This guide will show you how to disable ECH for your domain using the Cloudflare API.
Step 1: Check if ECH is Enabled
Before disabling ECH, verify whether it’s enabled for your domain. You can do this using a Google Public DNS query:
- Navigate to the following link, replacing [YOUR_DOMAIN] with your domain name:
https://dns.google/resolve?name=[YOUR_DOMAIN]&type=HTTPS
- If the results show that ECH is active, proceed to the next step.
Example: For the domain example.com, the link would look like:
https://dns.google/resolve?name=example.com&type=HTTPS
Step 2: Obtain Cloudflare API Credentials
To interact with the API, you’ll need two key elements:
Global API Key
- Go to the Cloudflare profile page
- Find the section with your Global API Key and copy the key
Zone ID
- Log in to your domain’s Cloudflare dashboard
- Scroll down the page in the right column
- Copy the Zone ID value
Step 3: Disable ECH via Cloudflare API
Method 1: Using curl Command
To disable ECH, execute the following command in your terminal, replacing {ID_ZONE}, {ACCOUNT_EMAIL}, and {GLOBAL_API_KEY} with your data:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{ID_ZONE}/settings/ech" \
-H "X-Auth-Email: {ACCOUNT_EMAIL}" \
-H "X-Auth-Key: {GLOBAL_API_KEY}" \
-H "Content-Type: application/json" \
--data '{"id":"ech","value":"off"}'
Example:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/abc123def456/settings/ech" \
-H "X-Auth-Email: [email protected]" \
-H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
-H "Content-Type: application/json" \
--data '{"id":"ech","value":"off"}'
Method 2: Using Postman
You can execute this request through Postman by following these instructions:
1. Request Setup
- Method: PATCH
- URL: https://api.cloudflare.com/client/v4/zones/{ID_ZONE}/settings/ech
2. Headers Setup
In the Headers section, add the following fields:
| Key | Value |
|---|---|
| X-Auth-Email | your Cloudflare email address |
| X-Auth-Key | your Global API Key |
| Content-Type | application/json |
3. Body Setup
In the Body section, select raw and JSON, then enter:
{
"id": "ech",
"value": "off"
}
4. Send Request
Click the Send button and wait for the server response.
Method 3: For Paid Plans
If you’re using a paid Cloudflare plan, you can disable ECH through the dashboard interface:
- Navigate to the SSL/TLS section
- Open the Edge Certificates tab
- Find the Encrypted ClientHello (ECH) setting
- Set the value to Disabled
Verify the Results
After disabling ECH, it’s recommended to verify the changes:
- Wait 5-10 minutes for the settings to apply
- Run the Google Public DNS check again (Step 1)
- Check your website’s accessibility for users from Russia
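One way to read the Google Public DNS result from Step 1 and from the re-check above, as an added example that is not part of the original guide: it assumes dns.google returns HTTPS records as type 65 answers whose data field is the presentation-format string, and treats ECH as active when that string carries an ech= parameter. The function names and the sample replies are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

HTTPS_RR_TYPE = 65  # DNS type code of the HTTPS record (RFC 9460)

def ech_status(doh_response):
    """Return 'enabled', 'disabled' or 'no-https-record' for a dns.google reply."""
    if doh_response.get("Status") != 0:  # 0 = NOERROR, 3 = NXDOMAIN, ...
        raise ValueError(f"DNS lookup failed, Status={doh_response.get('Status')}")
    # Keep only HTTPS answers; a CNAME in the chain (type 5) is skipped.
    records = [a.get("data", "") for a in doh_response.get("Answer", [])
               if a.get("type") == HTTPS_RR_TYPE]
    if not records:
        return "no-https-record"
    for data in records:
        # Assumed layout: "<priority> <target> key=value key=value ..."
        params = data.split()[2:]
        if any(p.split("=", 1)[0] == "ech" for p in params):
            return "enabled"
    return "disabled"

def query(domain):
    """Fetch the live HTTPS record from Google Public DNS (needs network)."""
    qs = urllib.parse.urlencode({"name": domain, "type": "HTTPS"})
    with urllib.request.urlopen(f"https://dns.google/resolve?{qs}", timeout=10) as r:
        return json.load(r)

# Constructed sample replies (documentation-range addresses, dummy ech value).
SAMPLE_ECH_ON = {"Status": 0, "Answer": [{"name": "example.com.", "type": 65, "TTL": 300,
    "data": "1 . alpn=h3,h2 ipv4hint=192.0.2.1 ech=AAAA ipv6hint=2001:db8::1"}]}
SAMPLE_ECH_OFF = {"Status": 0, "Answer": [{"name": "example.com.", "type": 65, "TTL": 300,
    "data": "1 . alpn=h3,h2 ipv4hint=192.0.2.1 ipv6hint=2001:db8::1"}]}
SAMPLE_NO_RECORD = {"Status": 0, "Authority": [{"name": "example.com.", "type": 6}]}

if __name__ == "__main__":
    for label, reply in [("ech on", SAMPLE_ECH_ON), ("ech off", SAMPLE_ECH_OFF),
                         ("no record", SAMPLE_NO_RECORD)]:
        print(label, "->", ech_status(reply))
    # Live check: print(ech_status(query("example.com")))
```

A result of 'disabled' means the ech parameter is no longer published in the HTTPS record; resolvers may keep serving the old record until its TTL expires.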
Common Issues and Solutions
Authentication Error
Problem: Receiving Authentication error or Invalid credentials
Solution:
- Verify your email address is correct
- Ensure you’ve copied the Global API Key completely
- Check that you haven’t added extra spaces when copying
Zone ID Error
Problem: Receiving Zone not found error
Solution:
- Make sure the Zone ID is copied correctly
- Verify you’re using the Zone ID for the domain you want to modify
ECH Doesn’t Disable
Problem: After executing the command, ECH remains enabled
Solution:
- Wait 10-15 minutes for changes to apply
- Clear the DNS cache on your device
- Retry the API request
Additional Resources
- Official Cloudflare API Documentation
- SSL/TLS Configuration Guide for Cloudflare
- Cloudflare Community